Smitfraud-C.gp virus...please help!

I don't think I have anything Linux-related on my computer. I had to look Linux up on the internet just now, lol. Could I have Linux-related somethings on my computer and not know?
 
Hi,

Sorry, that message led me down the wrong trail. It's not always Linux-related.

When you reboot the system, make sure the USB flash drive isn't connected. If it still fails, then check the boot order in the BIOS. It should be CD/DVD 1st, HDD 2nd and USB 3rd.
 
SystemLook 30.07.11 by jpshortstuff
Log created at 12:38 on 10/10/2011 by elly
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "erdnt.exe"
C:\Windows\ERDNT\9-21-2011\ERDNT.EXE --a---- 163328 bytes [23:37 21/09/2011] [17:02 20/10/2005] 89AFDD29832AA923926BDD4B5F5243D5
C:\Windows\ERDNT\AutoBackup\9-22-2011\ERDNT.EXE --a---- 163328 bytes [07:04 22/09/2011] [17:02 20/10/2005] 89AFDD29832AA923926BDD4B5F5243D5

-= EOF =-
 
Hi,

Go to C:\Windows\ERDNT\AutoBackup\9-22-2011 folder. Right-click ERDNT.EXE and select "run as administrator".

Let's see if that helps.
 
Hey! We've made some progress (maybe)! Now when I login I get to the desktop screen for about 15 or 20 seconds before I get the BSOD and my computer shuts down. Still the same error code ending in 07E...not sure about the remaining numbers, I can check them if you think it'd be helpful.
 
Hi,

Please run ComboFix again (let it update itself). Post back the report.

Then download a fresh version of TDSSKiller and run it, leaving all findings untouched. Post back its report too.
 
I presume you intended that I run ComboFix and TDSS in normal mode? I can't do that...as I said, it only has about 20 seconds of the desktop before the BSoD comes. This is not long enough for me to log onto the internet and start ComboFix. Should I try in safe mode?
 
Ok, ComboFix was no longer installed on my computer. I assume this is because we restored to a point before ComboFix was installed. So I downloaded it onto a flash drive on another computer, saved it to the desktop of the infected computer in Safe Mode and attempted to run it. It told me AVG was running and I needed to disable it. I attempted to disable but I couldn't (actually I'm not sure in safe mode it was even running). So I uninstalled it figuring I could reinstall again after we get things cleared up. ComboFix still says AVG is enabled. I clicked continue anyway since I had uninstalled AVG. Then I got the following message:

pev.3xe has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.
 
Hi,

You may close the "pev.3xe has stopped working." -window and ComboFix should continue its run.
 
ComboFix log and TDSS log attached. I think I've attached the right things. However, after I closed the pev.3xe message, I think ComboFix completed normally, but I'm not sure because I left the room and when I came back the computer had restarted. However, there was still a log, so I've attached it.
 
ComboFix still gives me the message about AVG before it will run, so I clicked ok again. It gives me the pev.3xe message again, so I clicked close program again. Then at the end after it gets to like step 50 it says "rebooting ..." It happens fast so I can't read much besides rebooting. But I do not get the normal "almost done" screen and display the log. Attached is the log.
 
Hi,

Make sure AVG is disabled before you launch ComboFix. If it still fails then temporarily uninstall AVG.
 
Hi,
I think I mentioned a few posts back that I've already uninstalled AVG, but I'm still getting that message when I run ComboFix.
 
Ran the AVG remover, then ran ComboFix again. Still get the message that AVG is running, that pev.3xe stopped working, and then the computer crashes at the end of ComboFix.

Here's the AVGremover log if you'd like to have a gander.
 
Hi,

Download a fresh copy of ComboFix and ignore the AVG message while running CF.
 
I'm not sure what you mean by "ignore AVG message." CF won't continue unless you click 'ok' when you get that message. I did get the AVG message again and clicked ok to allow CF to continue, then I got the pev.exe message again, clicked close program. Same thing happened again at the end of CF, computer crashed w/ ComboFix giving a message about rebooting. The CF log is essentially the same as the CF log I posted last.
 
I meant clicking ok. Did you download a fresh copy of ComboFix? Try renaming it to iExPlore.exe and running it.
 